1. Who we are
"KPMG," "we," "our," and "us" refers to the group of companies that constitute KPMG in Portugal which include KPMG Portugal – S.G.P.S., S.A., KPMG & Associados – Sociedade de Revisores Oficiais de Contas, S.A. and KPMG Advisory - Consultores de Gestão, S.A.
KPMG is an affiliated with of KPMG International Cooperative ("KPMG International"), a Swiss entity. KPMG International provides no client services.
KPMG is the Responsible Entity or co-responsible for the collection and processing of your personal data, when deciding which data to collect, forms of processing and purpose of the data that is being processed.
Additionally, KPMG process personal data as a Processor Entity, on behalf and according to the instructions of other responsible entities, under the framework of our professional services.
2. Our commitment
If you are our client, prospective client, applicant, alumni, supplier, partner, or user of our websites or mobile apps, we recommend reading this document and the Terms and Conditions of our services.
KPMG promotes the protection of confidentiality and privacy of the information to us entrusted. As part of this core obligation, KPMG equally promotes the adequate protection and use of personal data (referred to as “personal data”, “personally identifiable information” or “IPIs”) collected through our websites.
3. What personal data do we collect and process
Essentially, an item of personal data is any information, which, directly or in aggregation with other information, can identify a natural person.
The following table summarises the main categories of personal data we process:
|Personal data category||Examples|
|Identification and contacts||Name, ID number, VAT number, photo, signature, address, phone number or e-mail.|
|Biographical data||Birth date, gender, citizenship, place of birth, civil status, family composition, educational qualifications, professional experience, LinkedIn profile or criminal record.|
|Financial data||IBAN, income or real estate/ financial assets.|
|Relationship with KPMG||Information regarding the attendance to KPMG events or promoted by KPMG, or business interactions between Data subjects and KPMG.|
|Opinions and preferences||Preferences regarding the sending of invitations and KPMG publications, comments from beneficiaries in social networks where KPMG is present, or responses to surveys.|
|Contents||Information included in written communications between Data subjects and KPMG or surveillance images.|
|Use of websites and apps||Websites visited, or information on equipment used (for example, IP address, geographical localization, browser used).|
While responsible or co-responsible entity, KPMG may also process other personal data, including special categories of information (for example, health information) when performing public interest activities, namely in the rendering Audit/Assurance Services or other professional services.
KPMG collects the above-mentioned personal data through the following means of collection:
|Means of collection||Examples|
|Information provided by Data subjects||Data or contents provided directly by the Data subjects (i) in their interaction with KPMG professionals, (ii) in letters or e-mails sent to KPMG, (iii) in the definition of preferences regarding KPMG communications, (iv) in attending events, (v) in the submission of KPMG applications, or (vi) in the answer to surveys.|
|Data collected in social networks||Data regarding the interaction by Data subjects in KPMG social networks or in public profiles of beneficiaries in social networks (for example LinkedIn, curriculum vitae for online application to a KPMG job, we will use the information you provide to verify the job opportunities available at KPMG).|
|Data collected from third parties||Data collected by KPMG from its customers while rendering professional services or from other third parties (e.g. Banco de Portugal (BdP), public authorities, insurance companies).|
|Persistent cookies||Data regarding the use of sites and KPMG apps (e.g. visited websites; user preferences), collected through KPMG cookies or from third parties.|
4. Collection and use of personal information
— IP addresses
An IP address is a number assigned to your computer whenever you access the internet. It allows computers and servers to recognize and communicate with one another. IP addresses from which visitors appear to originate may be recorded for IT security and system diagnostic purposes. This information may also be used in an aggregate form to conduct website trend and performance analysis.
Cookies may be placed on your computer or on an internet-enabled device whenever you visit us online. This allows the site to remember your computer or device and serves a number of purposes.
On some of our websites, a notification banner will appear requiring your consent to collect cookies. If you do not provide consent, your computer or internet-enabled device will not be tracked for marketing-related activities. A secondary type of cookie referred to as "user-input" cookies may still be required for necessary functionality. Such cookies will not be blocked through the use of this notification banner. Your selection will be saved in a cookie and is valid for a period of 90 days. If you wish to revoke your selection, you may do so by clearing your browser's cookies.
Although most browsers automatically accept cookies, you can choose whether or not to accept cookies via your browser's settings (often found in your browser's Tools or Preferences menu). You may also delete cookies from your device at any time. However, please be aware that if you do not accept cookies, you may not be able to fully experience some of our websites' features.
Further information about managing cookies can be found in your browser's help file or through sites such as www.allaboutcookies.org.
Below is a list of the types of cookies used on our websites:
|Purpose||Description||Type & Expiry|
|Performance (i.e., User's Browser)||Our websites are built using common internet platforms. These have built-in cookies which help compatibility issues (e.g., to identify your browser type) and improve performance (e.g., quicker loading of content).||
Deleted upon closing the browser
|Social sharing||We use third party social media widgets or buttons to provide you with additional functionality to share content from our web pages to social media websites and e-mail. Use of these widgets or buttons may place a cookie on your device to make their service easier to use, ensure your interaction is displayed on our webpages (e.g. the social share count cache is updated) and log information about your activities across the Internet and on our websites. We encourage you to review each provider's privacy information before using any such service. For further details on our use of social media widgets and applications, see below.||Persistent, but will be deleted automatically after two years if you no longer visit kpmg.com|
Other third party tools and widgets may be used on our individual web pages to provide additional functionality. Use of these tools or widgets may place a cookie on your device to make their service easier to use, and ensure your interaction is displayed on our webpages properly.
Cookies by themselves do not tell us your e-mail address or otherwise identify you personally. In our analytical reports, we may obtain other identifiers including IP addresses, but this is for the purpose of identifying the number of unique visitors to our websites and geographic origin of visitor trends, and not to identify individual visitors.
— Social media widgets and applications
KPMG websites may include functionality to enable sharing via third party social media applications, such as the Facebook Like button and Twitter widget. These social media applications may collect and use information regarding your use of KPMG websites (see details on 'Social Sharing' cookies above). Any personal information that you provide via such social media applications may be collected and used by other members of that social media application and such interactions are governed by the privacy policies of the companies that provide the application. We do not have control over, or responsibility for, those companies or their use of your information.
In addition, KPMG websites may host blogs, forums, crowd-sourcing and other applications or services (collectively "social media features"). The purpose of social media features is to facilitate the sharing of knowledge and content. Any personal information that you provide on any KPMG social media feature may be shared with other users of that social media feature (unless otherwise stated at the point of collection), over whom we may have limited or no control.
KPMG understands the importance of protecting children's privacy, especially in an online environment. In particular, our sites are not intentionally designed for or directed at children under the age of 13. It is our policy never to knowingly collect or maintain information about anyone under the age of 13, except as part of an engagement to provide professional services.
In general, you are not required to submit any personal information to KPMG online, but we may require you to provide certain personal information in order for you to receive additional information about our services and events. KPMG may also ask for your permission for certain uses of your personal information, and you can agree to or decline those uses. If you opt-in for particular services or communications, such as an e-newsletter, you will be able to unsubscribe at any time by following the instructions included in each communication. If you decide to unsubscribe from a service or communication, we will try to remove your information promptly, although we may require additional information before we can process your request.
Links to other sites
By registering on any KPMG website and then navigating to another KPMG website while still logged in, you agree to the use of your personal information in accordance with the privacy statement of the KPMG website you are visiting.
5. How we process personal data
The processing of data is an operation or set of operations performed over personal data, through automatic or manual means, including the collection, storage, usage, copy and transfer.
At KPMG we process personal data in a licit, loyal and transparent manner with specific purposes. The processing of additional secondary data will only be performed if (i) they are compatible with the authorized purposes and are communicated to Data subjects or (ii) if they are object of specific and explicit consent from the Data subjects.
The sections below describe the main purposes of processing in KPMG, in compliance with the respective lawfulness foundations.
Performance of a contract
KPMG processes the necessary data for the signature, execution or management of contracts where the data subject is a party, or pre-contractual proceedings at request of the Data subjects:
|Purpose of the processing||Examples|
|Client and engagement acceptance||Client acceptance, client continuance, engagement acceptance, in compliance with the KPMG policies and legal and regulatory rules (e.g. independence rules).|
|Contracting||Preparation, evaluation and signature of contracts and confidentiality agreements regarding the products and services to be provided by KPMG.|
|Service rendering||Performance of the service as agreed with Data subjects.|
|Invoicing and collection||Issuance of invoices and management collection.|
|Service contracting and payment to suppliers||Evaluation of suppliers, contracting, renegotiation and termination of contracts with suppliers, evaluation of services rendered and payment to KPMG suppliers and service providers.|
Compliance with legal or regulatory obligations
KPMG processes the data required to comply with the several legal and regulatory obligations to which is subject to, including the Commercial Code, Civil Code, Tax legislation, OROC regulation, legal framework of CMVM´s audit supervision, law on the prevention of money laundering and terrorism financing, international auditing standard 230 (ISA 230) and the international quality control standard 1 (ISQC 1):
|Purpose of the processing||Examples|
|Reporting of information and reply to requests from regulators and public authorities||Reporting of mandatory information and reply to several requests from regulators (e.g. CMVM, OROC) and public authorities (e.g. BdP, Courts, Portuguese Tax Authorities (AGT)).|
|Prevention of money laundering crimes and terrorism financing||Monitoring of lists of persons and entities subject to commercial or financial sanctions, or identification and reporting of suspicious operations.|
|Accounting and Financial Reporting||Accounting record and preparation and disclosure of KPMG financial statements and of the transparency report.|
|File management||Collection, classification and storage of physical and electronic documents with personal data in the file management, which constitute mandatory evidence within KPMG activity.|
KPMG processes the data required when performing public interest activities, namely the provision of Audit/Assurance services, taking in consideration the specific characteristics of the client, the international auditing standards (IAS) and KPMG´s auditing methodology.
KPMG processes the data required to safeguard its legitimate interests:
|Purpose of the processing||Description|
|Accounts and contact management||Segmentation of clients, pipeline and client contacts management, prospective clients, partners and suppliers.|
|Preparation of proposals||Preparation and submission of proposals to clients or prospective clients.|
|Direct Marketing||Sending communications (e-mails) to clients, prospective clients and alumni related to the promotion of events, disclosures of technical publications and service/products promotion.|
|Events management||Planning and organization of events, either by KPMG or supported by KPMG.|
|Quality control||Quality control of services provided by KPMG to its clients, in accordance with international standards on auditing, guidelines from OROC and KPMG’s international policies.|
|Management control||Preparation of KPMG’s management control information.|
|Litigation management||Exercise of contractual or legal and defence rights in case of emerging judicial or extra-judicial litigations.|
|Reporting to KPMG International||Preparation of several reports to KPMG International, in accordance with the obligations associated to KPMG license.|
|Internal Audit||Collection and data analysis within the framework of KPMG’s internal audit processes and operations.|
|Management and security of information systems and facilities||Processes of management and monitoring of information systems and technological infrastructures, recording of access and usage of systems, processes of detection, analysis and response to potential data breaches, identity control and accesses to KPMG’s information systems, or physical accesses control to facilities.|
|Video surveillance||Video surveillance of KPMG’s physical facilities.|
Consent from the Data subjects
KPMG may process other personal data when in possession of explicit consent, written, verbal or through unquestionable, informed, free action and for specific purposes of the data subjects:
|Purpose of the processing||Examples|
|Evaluation of customer satisfaction||Evaluation of customer satisfaction through interviews or specific questionnaires.|
|Market research||Collection and personal data analysis within studies or market analysis.|
|Customize the experience in websites||Use of persistent cookies for activity registration and user preferences in KPMG sites.|
6. What are the retention and personal data processing periods?
KPMG retains and processes data information through the necessary period of time and as long as the legitimate purposes for which the data is processed subsists, in order to comply with contractual, legal and regulatory obligations, or for protection of the legitimate interests of KPMG:
|Purpose of retention||Retention period|
|Legal, tax or regulatory obligation, or contract compliance||10 years after the end of the contract or document date, wherever applicable. KPMG may retain the personal data for higher periods based on legitimate interest, namely KPMG´s defence in judicial proceedings.|
|Retention of video surveillance||30 days.|
|Maintenance of client or prospective clients preferences||Indefinite, namely for information regarding the beneficiaries preferences in relation to the communication of events or sharing of KPMG publications.|
7. What are your rights as data subjects
KPMG ensures the exercise of the rights of data subjects regarding their treatment.
|Rights of the Subject||Description|
|Access||Data subjects have the right to access their personal data that have provided to KPMG or that result from the use of KPMG services, as well as to their conditions for treatment.|
|Correction||Data subjects have the right to request inaccurate or incomplete information to be corrected (e.g. address, e-mail address, and telephone contacts.)|
|Objection or withdrawal of consent||Data subjects have the right to oppose to date processing based on the legitimate interest of KPMG or to withdraw their consent for data processing based on consent.|
|Right to be forgotten||Data subjects have the right to request for the erasure of their personal data held by KPMG, provided that there is no valid grounds for their retention (e.g. compliance with a legal requirement, KPMG's defence in a judicial proceedings).|
|Limitation||Data subjects have the right to request for the limitation of data processing, in particular where they have contested the accuracy of personal data or objected to the processing and during the assessment period of the request from KPMG.|
|Portability||Customers have the right to receive the personal data they have provided to KPMG or that result from the use of KPMG services.|
|Not being subject to exclusively automated decisions||Customers have the right to request human intervention or to challenge decisions based on fully automated personal data processing.|
|Submit a complaint to CNPD (National Data Protection Commission)||Data subjects have the right to submit complaints to CNPD about matters related to the exercise of their rights and the protection of their personal data.|
Data subjects may exercise their data protection rights, free of charge, by letter to headquarters address: Edifício FPM 41 – Avenida Fontes Pereira de Melo, 41 – 15º, 1069-006 Lisboa, or by e-mail to firstname.lastname@example.org. KPMG will respond to requests within 30 days, except for particular complex requests. In such cases, KPMG shall inform the data subjects of the need to extend the deadline for reply for a maximum additional period of 30 days and of its reasons.
Where KPMG considers that it is not possible to cover the requests, data subjects shall be informed of KPMG's reasons within the time period set out.
8. What personal data do we share
KPMG may transfer personal data to third parties within its legitimate business activities.
|Member firms of the KPMG International network||Entities belonging to the KPMG International network, namely in the context of joint participation in the rendering of professional services. In such cases, the transfer of personal data is subject to a specific agreement which includes terms relating to the protection of personal data.|
|Regulators and other public authorities||CMVM (Portuguese Securities Market Commission), Banco de Portugal, Portuguese Tax Authorities (AGT), Courts, whenever there is a legal or regulatory requirement.|
Service providers acting on behalf of KPMG or under our instructions (e.g. document and file management service providers).
In these cases, the transfer of personal data is subject to a specific contract which ensures that these entities treat the data in accordance with prior instructions of KPMG and comply with all legal data protection requirements.
In its relations with third parties, KPMG may transfer data to countries outside the European Union provided that it has the necessary trust for personal data to be properly protected in accordance with the standards formally defined by a contract or equivalent instrument.
9. How we protect personal data
The protection of confidentiality and data integrity is (i) a legal and regulatory requirement, and (ii) one of the pillars for building trust between KPMG and its customers, employees, regulatory authorities and business partners.
KPMG has implemented appropriate organizational measures, processes and security systems to protect your personal data from unauthorized destruction, change and access, including: (i) access control mechanisms to information systems and data; (ii) specialised security systems (e.g. firewalls, antivirus, vulnerability management); (iii) mechanisms that record all actions carried out by employees and other users of information systems; (iv) data encryption, pseudonymization and anonymization mechanisms; (v) encrypting measures on equipment and mobile devices; (vi) physical security measures to protect facilities (e.g. physical access control, video surveillance); and (vii) a program to raise awareness and train KPMG professional and third parties in the context of information security and personal data protection.
KPMG reserves the right at all times to make changes to this policy in order to reflect the best market practices or future legislative or regulatory changes. When we make changes to this statement, we review the “update” date at the top of this page.
11. Our contacts
KPMG is committed to protect the privacy of your personal data.
In any case, you always have the right to file a complaint with the National Data Protection Commission in Portugal.